Security & privacy

wiz≡r connects to your bank through Plaid, the industry-standard bank-connection service used by Venmo, Robinhood, Chime, and thousands of other regulated fintech apps. Plaid is SOC 2 Type II certified.

• You authenticate with your bank inside the Plaid Link UI — your username, password, and any MFA codes never touch wiz≡r servers.
• Plaid issues us a token that we use to fetch read-only transaction data.
• wiz≡r cannot move money. It can only read.

• Encryption at rest. Sensitive data is encrypted with AES-256-GCM.
• Encryption in transit. All client-server traffic uses TLS 1.2 or 1.3. HTTP is permanently redirected to HTTPS.
• Database isolation. The production database is on a private path on a hardened VPS, not shared with other tenants.
• Backups. Daily automated encrypted backups, with offsite copies stored in Backblaze B2 — and a tested disaster-recovery procedure.

• Passwords. Stored as BCrypt hashes with cost factor 12. Plaintext passwords are never logged.
• Sessions. JSON Web Tokens (JWT) signed with HMAC-SHA256, configurable expiration (default 1 hour).
• Multi-factor authentication. Optional TOTP-based MFA, compatible with Google Authenticator, 1Password, and any standards-compliant authenticator app.
• Account verification. Email verification is required before account activation.

• We do not sell, rent, or share your transaction data with advertisers or data brokers.
• We do not store your bank login credentials.
• We do not have the ability to move money out of your accounts.
• We do not run third-party analytics that profile individuals across the open web.